Field
The described technology relates to a method of the type for detecting whether a packet from a plurality of packets transmitted by at least one transmitting station over a network has been played back, each packet comprising a message and a packet identifier, the plurality of packets being successively transmitted over several consecutive time periods, the method including the following steps:
reception of the packet by at least one receiving station and reading of the identifier of the received packet to obtain a received identifier,
consultation, by the receiving station, of a database of identifiers already received to determine whether the received identifier has already been received, and
if the received identifier has not already been received, updating the database to include the received identifier.
The described technology relates to the field of network security. Certain embodiments aim to protect against the playback of data packets conveyed in particular via a delay tolerant network (DTN). “Playback” refers to the fact that a data packet has been played back, i.e., captured and re-transmitted (replayed) by an unauthorized entity so that it is received a second time.
Description of the Related Art
The conveyance of data packets through a DTN sometimes creates a significant disruption of packet sequencing: packets may arrive minutes or hours out of order. As a result, upon receipt, the detection of playback of a packet is made more complex, since a trace of all of the packets received over a very long time period must be kept. This creates significant processing power and memory capacity needs.
Most of the solutions proposed in the related art are based on implementing a transmission counter, which makes it possible to identify the transmitted packets uniquely, and a sliding anti-playback table, with a fixed size, making it possible to keep the trace of the last N packets received, N typically going from 32 to 256.
In these solutions, the receiving station saves the value of the largest of the received packet identifiers, called T, and accepts a new received packet if:
the identifier is greater than T, or
the identifier lies in the interval [T−N+1; T] and the packet has not already been received.
The receiver rejects packets for which:
the identifier is less than T−N+1, i.e., it falls below the window (the packet may be a late legitimate packet, but the receiver no longer has a trace allowing it to tell), or
the identifier lies in the interval [T−N+1; T] and the packet has already been received.
One solution to prevent playback is defined in the context of internet protocol security (IPsec) (RFC 4301). More specifically, both of the following protocols deal with this topic:
protocol number 51, AH (Authentication Header), defined by RFC 4302, and
protocol number 50, ESP (Encapsulating Security Payload), defined by RFC 4303.
In one of the proposed solutions, the anti-playback table stores the identifiers of the received packets or packets not received, the successive identifiers being able to be stored in the form of intervals in order to minimize the size of the sub-table.
Other solutions seek to limit the impact of the reception of an identifier greater than T+N, as this causes part of the stored anti-playback table to be lost. This scenario for example arises when several packets are sent over a route, then a shorter route becomes available, causing packets transmitted later to be received before packets transmitted earlier.
Thus, in one of the proposed solutions, two anti-playback tables are considered, a head table and a tail table. These tables are spaced apart by an interval storing non-received identifiers. If the receiving station receives a packet having an identifier included in that interval, this means that the packet had not yet been received; it is accepted and forwarded to its recipient. The tail table is then offset such that the value of the received identifier corresponds to the upper limit of the tail table.
If the receiver receives a packet with an identifier greater than T but less than T+N, the head table is offset such that the received value corresponds to the upper limit of the head table. The tail table may optionally be offset such that the memory space between the two tables is representative only of the non-received identifiers.
If the receiver receives a packet having an identifier greater than T+N, the tail table is moved past the head table and becomes the new head table, while the former head table becomes the tail table. The received identifier then corresponds to the upper limit of the new head table.
Lastly, to the same end, in one of the proposed solutions, when the receiver receives a packet with an identifier greater than T+N, the receiving station estimates the number of valid packets that may potentially be lost if the table is offset. If that number is above a certain threshold, the received packet is rejected.
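The sliding anti-playback table of the related art (the T and N rules above), together with the loss-estimation rule of the last variant, as an added example. This is not the described technology's method nor code from the IPsec RFCs; the class and function names are chosen here, the identifier sequence is constructed, and the definition of the "estimated loss" (every not-yet-received identifier that would fall below the window once it is shifted) is one reading of the rule, stated as an assumption:

```python
# Added example: IPsec-style sliding anti-replay window of size N, with the
# optional "reject if too many unreceived identifiers would be lost" rule.
# Bit k of `bitmap` records whether identifier T-k has been received.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AntiReplayWindow:
    n: int = 64                      # window size N (related art: 32 to 256)
    max_loss: Optional[int] = None   # None: plain window; int: threshold rule
    t: int = 0                       # largest identifier accepted so far (T)
    bitmap: int = 0                  # bit k set <=> identifier T-k was received
    started: bool = False

    def __post_init__(self) -> None:
        if self.n < 1:
            raise ValueError("window size must be positive")

    def _received(self, ident: int) -> bool:
        k = self.t - ident
        return 0 <= k < self.n and (self.bitmap >> k) & 1 == 1

    def _estimated_loss(self, ident: int) -> int:
        """Assumed definition: identifiers that could still arrive legitimately
        but would be rejected once the window is shifted so that `ident` is its
        top, i.e. every not-yet-received identifier in [old floor, new floor-1].
        Identifiers above T are by construction not yet received."""
        old_floor = self.t - self.n + 1
        new_floor = ident - self.n + 1
        return sum(1 for i in range(max(old_floor, 1), new_floor)
                   if not self._received(i))

    def check(self, ident: int) -> Tuple[bool, str]:
        """Decide whether `ident` is accepted; state changes only on accept."""
        if ident < 1:
            return False, "invalid identifier"
        if not self.started:
            self.started, self.t, self.bitmap = True, ident, 1
            return True, "first packet"
        if ident > self.t:
            shift = ident - self.t
            if self.max_loss is not None and shift > self.n:
                lost = self._estimated_loss(ident)
                if lost > self.max_loss:
                    return False, f"jump would drop {lost} unreceived identifiers"
            # Identifiers older than ident-N+1 fall out of the window; with
            # shift > N the whole previous trace is discarded.
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.n) - 1)
            self.t = ident
            return True, "advanced window"
        k = self.t - ident
        if k >= self.n:
            return False, "below window (possibly a late legitimate packet)"
        if (self.bitmap >> k) & 1:
            return False, "replay"
        self.bitmap |= 1 << k
        return True, "within window"


def run(ids: List[int], n: int, max_loss: Optional[int] = None) -> List[bool]:
    """Feed a sequence of identifiers through one window; return the decisions."""
    w = AntiReplayWindow(n=n, max_loss=max_loss)
    return [w.check(i)[0] for i in ids]


# Constructed sequence: in order, reordered, two replays, then a jump of more
# than N (a shorter route became available), then a late packet (5) that is
# legitimate but falls below the shifted window, then a second large jump.
SAMPLE = [1, 2, 4, 3, 3, 2, 9, 5, 20, 18]

if __name__ == "__main__":
    for i, (ok, why) in zip(SAMPLE, (AntiReplayWindow(n=4).check(i) for i in [])):
        pass  # placeholder loop kept empty; decisions are printed below
    w = AntiReplayWindow(n=4)
    for i in SAMPLE:
        print(i, *w.check(i))
    print("with max_loss=2:", run(SAMPLE, n=4, max_loss=2))
```

With N=4 and no threshold, identifier 5 is rejected as "below window" although it was never received: this is the false-detection risk when the window is shifted by more than N. With max_loss=2 the first jump (to 9) is accepted, because only identifier 5 would be given up, but the jumps to 20 and 18 are refused since they would abandon eight or more unreceived identifiers; the threshold trades lost trace against the refusal of legitimate forward jumps.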
The solutions proposed in the related art only work well in situations with a very limited disruption of the sequencing of data packets through the transport network.
In light of the properties of a DTN in terms of throughput of network connections, typically from 100 kbit/s to several Mbit/s, and the storage capacity of the relays of the network, typically from one minute to several hours of network traffic, the existing solutions would require anti-playback tables able to store a very large number of packet identifiers, for example approximately one million. This makes both the manipulation and storage of the table problematic, and results in:
a latency caused by the anti-playback protection mechanism that may significantly affect the performance of the security equipment,
a risk of false detection of the playback of a packet (a legitimate but late packet rejected because its identifier has left the table), and
a risk of packet playback not being detected.
One aim of certain embodiments is therefore to provide a method for detecting playback that resolves or minimizes the aforementioned problems.